Microsoft VBS Announcement is Good News – With a Few Caveats

You should understand access to the new security is limited – are you in “the club”?

It’s easy to start getting the benefits of VBS right now. It’s what we do.

Microsoft’s security enhancement to Windows 10 using virtualization-based security (VBS) that hardware isolates their Edge browser is exciting news. It validates what we pioneered (and have multiple patents for) years ago.

But if you’re thinking about taking advantage of the new VBS features, there are some considerations that you should take into account.

Limited applicability means you still need to be careful.

I think it’s wonderful that Microsoft has introduced virtualization-base security in Windows 10. But, you have to be part of the Enterprise of Education license club to take advantage of this new functionality. If you were thinking that you could enable VBS on your home Windows machines, sorry, that’s not how it works.

Furthermore, if you want to take advantage of VBS organizationally to protect against things like, pass-the-hash attacks and to perform kernel code integrity checks, there is another consideration you need to take into account.

The Windows 10 implementation of VBS has hardware device feature dependencies including UEFI-based Secure Boot. That means, if you’ve upgraded from a BIOS-booted Windows operating system to Windows 10, you’re out of luck. You need to upgrade your hardware to something that supports UEFI-based Secure Boot.

Microsoft does warn users that many current devices cannot take advantage Device Guard features due to strict hardware requirements.

The power of VBS is available to you now and along your upgrade journey.

Most organizations replace endpoints over a three-year cycle. Typically, they don’t replace all of the endpoints at once. They stagger the replacement to carry the cost and resources requirement over a three-year period. Also, usually at least a third of the hardware is redistributed with operating system and application upgrades. That means that you are probably have a number of Windows 10 devices that cannot use Microsoft’s built-in virtualization-based security.

As the pioneers of virtualization-based security, we don’t believe that it should be limited only to specific use cases. Bromium supports Windows 7, 8 and 10 endpoints, and seamlessly supports Windows 10 VBS. Moreover, Bromium uses micro-virtualization to hardware-isolate any untrusted task (e.g. running apps, downloading documents) so that it runs completely isolated from the operating system.

Start seriously improving your security today.

Even if you are already on Windows 10 and using VBS, Bromium enhances the security by isolating every single task performed by the end user. Bromium isolation technology works in conjunction with other Bromium security features including our Sensor Network that turns your enterprise assets (endpoints and servers) into your best defense. Each sensor performs threat analysis and instantly shares indicators of compromise (IOCs) with the rest of the network for faster time-to-resolution.

If you take security seriously – and you want to worry less about breaches, malware, and threats – you owe it to yourself to see what we have to offer. If you’d like to see a short example of Bromium at work, watch this 90-second demo on how stop ransomware. It’s an easy way to see how VBS can keep your organization safe.